Overview

OpenAI's ChatGPT for Google Sheets extension, which launched less than a month ago and already has 185,000+ downloads, is vulnerable to a critical indirect prompt injection attack. Security firm PromptArmor demonstrated that a single malicious cell in an imported sheet can trigger data exfiltration across multiple workbooks, display phishing overlays, and overwrite the ChatGPT sidebar with an attacker-controlled interface—all without requiring user approval, even when the 'Apply edits automatically' setting is disabled.

The Attack Chain

The attack exploits the extension's ability to generate and execute Google Apps Script code. Here's the sequence:

  1. A victim works on an internal financial model in Google Sheets.
  2. They import an external dataset (e.g., via IMPORTRANGE or a ChatGPT connector). The external sheet contains a prompt injection hidden in white text.
  3. The victim asks ChatGPT to help integrate the imported data.
  4. The injection manipulates ChatGPT to generate an Apps Script that exfiltrates the financial model to an attacker-controlled server.
  5. The script scans the stolen data for links to other workbooks and automatically exfiltrates those workbooks as well—PromptArmor's test exfiltrated 12 workbooks total.

Notably, clicking the 'stop' button in the ChatGPT sidebar does not halt scripts that have already started executing.

Technical Details

The vulnerability resides in the extension's privileged access to Google Sheets APIs. When ChatGPT generates Apps Script code, it runs with the permissions the user granted to the extension. The attack does not require any user interaction beyond the initial query—the injection is triggered automatically when ChatGPT processes the imported data.

OpenAI's documentation omitted critical security information: it did not mention that the model can generate and execute scripts, nor did it warn about indirect prompt injection risks. The documentation focused only on functional limitations and data handling.

Phishing Overlay Variants

Beyond data theft, the attacker can deploy two phishing techniques:

  • Variant 1: An attacker-controlled sidebar overlays the ChatGPT extension, impersonating it. The malicious sidebar can harvest user prompts, display a fake chatbot, and prompt users to 'reconnect' connectors—potentially granting access to other apps.
  • Variant 2: A pop-up modal renders an attacker-controlled website to phish for OpenAI credentials.

OpenAI's Response

After PromptArmor's public disclosure (May 27, 2026), OpenAI responded on May 31, 2026:

> "We appreciate the security research here, and it’s unfortunate this one slipped through a crack in our disclosure pipeline. As we’re now aware of this report, we’ve taken immediate steps to protect users against potential attacks in this area by removing the model’s ability to generate Apps Script code, which should eliminate the risk to users of ChatGPT for Google Sheets. We’re taking a close look at how this feature interacts with Google Sheets APIs and re-evaluating our sandboxing approach to make sure this product is as resistant as possible against prompt injection attacks."

OpenAI also stated they will re-review similar functionality in other surfaces.

Mitigation for Organizations

Organizations can control access to the extension via:

Workspace settings > Permissions & roles > ChatGPT for Excel and Google Sheets

Disabling the extension for sensitive accounts is recommended until a full fix is deployed.

Responsible Disclosure Timeline

  • May 8, 2026: PromptArmor disclosed to OpenAI via email.
  • May 8, 2026: OpenAI sent an automated reply.
  • May 12, 2026: PromptArmor followed up.
  • May 18, 2026: PromptArmor followed up again.
  • May 27, 2026: PromptArmor published findings after no further communication.
  • May 31, 2026: OpenAI responded and disabled Apps Script generation.

Conclusion

This vulnerability highlights the risks of granting AI agents privileged access to sensitive data without proper sandboxing. Developers should disable the extension for now, and organizations should review their use of AI plugins that can execute code. OpenAI's quick fix (removing Apps Script generation) is a stopgap; a deeper sandboxing review is underway.